Scammers got my in-laws' PC, any suggestions?

JimKiler

My in-laws have a Win10 desktop and were told their modem was broken and some sort of we will refund you 560 dollars but when he entered that amount it was 5,600 and was supposed to go to the bank and get money out. Luckily he did not take money out of the bank. But now his computer appears to be hijacked. His desktop background and files are gone. The download folder and picture folders are empty. I no longer see Google Chrome installed. I have my admin account on their PC but when I went to switch users it told me something about my account not working/set up, what have you. Well then I could not switch back to the working account. I finally rebooted and hit F8 and got into safe mode. From safe mode I could switch accounts back to my in-laws. Then I rebooted and am back into the desktop but again everything is gone. I found TeamViewer installed.

I am attempting to do a reset of Windows which keeps files. I am not sure if it will work. I had restore set up but they must have deleted those because there are none. I am searching for Excel files since my in-laws had finances on a sheet.

Any suggestions? I thought these guys just got victims to send money. I am not familiar with them destroying files, stealing files, or whatever they did. I am not sure if malware was put on. I installed Malwarebytes and when it does a scan it says nothing so I am thinking they deleted files but the recycle bin is empty. I will have to try a file recovery app.

Just looking for a best course of action here.
 

mindless1

Of course they go after files, this is how they try to make people pay to get back what they lost. Sometimes they encrypt and/or move them, you could look for new files but I tend to agree with VL that if you can't find them (I'd have immediately shut the system off, pulled the drive and scanned on another system, not boot that one!), then it is time to nuke it from orbit.

Personally, I also find it handy to not put user pics/docs etc. on the same partition as Windows. I make a regular backup of the Windows partition but I also make more frequent backups of user data on a different one, by mirroring the files in certain folders rather than a partition backup.

This might also obscure the files from scammers a little too, with them not being in the expected locations, though if they searched for JPG, XLS, etc typical file extensions then your only recourse is an offline backup, and of course, to practice safer computing so you don't get infected in the first place.
 

JimKiler

I am using Recuva to get back the files that I can, then I will "nuke it from orbit". I am leaning on they did not put malware on it but I cannot be certain so this is the best way.

I used to think everyone has to be diligent to protect themselves from scams but in the last year I realized anyone can become a victim under the right circumstances. I talked to a PC security guy and he was ready to believe a scammer who claimed to have his college son hostage when called in the middle of the night.
 

Captante

I've actually been "hit" with ransomware including the infamous "FBI virus" multiple times, however between Sandboxie+ and Malwarebytes Pro PLUS being super-quick pressing reset the worst thing that's happened was my Firefox installation got trashed.

Even the times that I APPEARED to have stopped the malware infection in its tracks, I not only "nuked" the Windows install with a full-format, I then proceeded to "zero-fill" it too just to be safe. (I make regular full backups having learned the hard way in the past)


EDIT:

And one final sobering thought.... BY FAR the most important factor in determining how likely a person is to fall for a "confidence-game" (aka: scam) is how "impervious" to scams they believe they are!


balloonshark

> I've actually been "hit" with ransomware including the infamous "FBI virus" multiple times, however between Sandboxie+ and Malwarebytes Pro PLUS being super-quick pressing reset the worst thing that's happened was my Firefox installation got trashed.
>
> Even the times that I APPEARED to have stopped the malware infection in its tracks, I not only "nuked" the Windows install with a full-format, I then proceeded to "zero-fill" it too just to be safe. (I make regular full backups having learned the hard way in the past)

We are running the same setup. It's always nice to see a fellow Sandboxie user :)
 

mindless1

I'd just restore the last partition backup, having backed up important user data, more frequently, elsewhere.

However it's been ages since I was infected with anything, so long ago I barely remember, maybe 2002... something about using a browser I stumbled upon a Russian FTP site for eBooks (in English), downloaded a ton of stuff but browser was also exploited. IIRC back then I was using PowerQuest Drive Image and restored the partition backup it made.
 

compcons

Replace the hard drive. Reinstall Windows. Connect the old one via USB enclosure and see if any files are viable. Continuing to use a compromised Windows install only creates more exposure. Be done with that one. Spend $100 on a new drive and stop messing around with user accounts and restores.
 

Shmee

And when you replace the drive, make sure it is an SSD.
 

JimKiler

I did wipe the drive and reinstall Windows after doing a file recovery. Unfortunately the recovery pulls 10+ copies of every file but that is for my in-laws to go through and keep/delete the ones they want. I don't think they lost anything. Well maybe some pictures but you know how it is, people want copies of photos and then do nothing with them so if they are missing any, they will not figure it out.

Every time I see my father-in-law he brings up how he is still kicking himself for falling for it but at least they did not get any money.
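
For the "10+ copies of every file" that a recovery pass leaves behind, one way to sort the output is to group files by content hash, keep one copy per group and flag zero-byte results. This is an added example, not part of the thread; the file names and folder layout in `demo()` are constructed, and the script only reports, it deletes nothing.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_of(path, chunk=1 << 20):
    """Hash in chunks so large recovered files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def group_recovered(root):
    """Return (digest -> paths with identical content, zero-byte files)."""
    groups, empty = defaultdict(list), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) == 0:
                empty.append(path)  # usually a failed recovery
            else:
                groups[sha256_of(path)].append(path)
    return groups, empty

def plan_cleanup(groups):
    """Pick one copy per content: shortest path, then alphabetical."""
    keep, dupes = [], []
    for paths in groups.values():
        ordered = sorted(paths, key=lambda p: (len(p), p))
        keep.append(ordered[0])
        dupes.extend(ordered[1:])  # left on disk for manual review
    return sorted(keep), sorted(dupes)

def demo():
    """Constructed sample: three copies of one sheet, a photo, an empty file."""
    samples = {"finances.xlsx": b"budget", "finances(1).xlsx": b"budget",
               "sub/000123.xlsx": b"budget", "photo.jpg": b"\xff\xd8\xff",
               "broken.jpg": b""}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        groups, empty = group_recovered(root)
        keep, dupes = plan_cleanup(groups)
        return [os.path.relpath(p, root) for p in keep], len(dupes), len(empty)
```

Run `group_recovered()` against the recovery output folder on the clean install or on another machine, then review the duplicate list before removing anything.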